Abstract. We introduce the class of rational Kripke models and study symbolic model checking of the basic tense logic $K_t$ and some extensions of it in models from that class. Rational Kripke models are based on (generally infinite) rational graphs, with vertices labeled by the words in some regular language and transitions recognized by asynchronous two-head finite automata, also known as rational transducers. Every atomic proposition in a rational Kripke model is evaluated in a regular set of states. We show that every formula of $K_t$ has an effectively computable regular extension in every rational Kripke model, and therefore local model checking and global model checking of $K_t$ in rational Kripke models are decidable. These results are lifted to a number of extensions of $K_t$. We study and partly determine the complexity of the model checking procedures.



1 Introduction 

Verification of models with infinite state spaces using algorithmic symbolic model checking techniques has been an increasingly active area of research over recent years. One very successful approach to infinite state verification is based on the representation of sets of states and transitions by means of automata. It is the basis of various automata-based techniques for model checking, e.g., of linear and branching-time temporal logics on finite transition systems [23,17], regular model checking [7], pushdown systems [8,24,11], automatic structures [14,16], etc. In most of the studied cases of infinite-state symbolic model checking (except for automatic structures), the logical languages are sufficiently expressive for various reachability properties, but the classes of models are relatively restricted.

In this paper we study a large and natural class of rational Kripke models, on which global model checking of the basic tense³ logic $K_t$ (with forward and backward one-step modalities) and of some extensions thereof is decidable. The language of $K_t$ is sufficient for expressing local properties, i.e., those referring to a bounded-width neighborhood of predecessors or successors of the current state.



³ We use the term 'tense' rather than 'temporal' to emphasize that the accessibility relation is not assumed transitive, as in a usual flow of time.



In particular, pre-conditions and post-conditions are local, but reachability properties are not. Kesten et al. [TS] have formulated the following minimal requirements for an assertional language $\mathcal{L}$ to be adequate for symbolic model checking:

1. The property to be verified and the initial conditions (i.e., the set of initial states) should be expressible in $\mathcal{L}$.

2. $\mathcal{L}$ should be effectively closed under the boolean operations, and should possess an algorithm for deciding equivalence of two assertions.

3. There should exist an algorithm for constructing the predicate transformer $\mathit{pred}$, where $\mathit{pred}(\varphi)$ is an assertion characterizing the set of states that have a successor state satisfying $\varphi$.

Assuming that the property to be verified is expressible in $K_t$, the first condition above is satisfied in our case. Regarding the set of initial states, it is usually assumed to be a singleton, but certainly an effective set, and it can be represented by a special modal constant $S$. The second condition is clearly satisfied, assuming the equivalence is with respect to the model on which the verification is being done. As for the third condition, $\mathit{pred}(\varphi) = \langle R\rangle\varphi$. Thus, the basic modal logic $K$ is the minimal natural logical language satisfying these requirements, and hence it suffices for the specification of pre-conditions over regular sets of states. The tense extension $K_t$ enables the specification of post-conditions as well, thus being the basic adequate logic for specifying local properties of transition systems and warranting the potential utility of the work done in the present paper. In particular, potential areas of application of model checking of the basic tense logic to verification of infinite state systems are bounded model checking [2], applied to infinite state systems, and (when extended with reachability) regular model checking [7], a framework for algorithmic verification of generally infinite state systems which essentially involves computing reachability sets in regular Kripke models.

The paper is organized as follows: in Section 2 we introduce $K_t$ and rational transducers. Section 3 introduces and discusses rational Kripke models, and in Section 4 we introduce synchronized products of transducers and automata. We use them in Section 5 to show decidability of global and local symbolic model checking of $K_t$ in rational Kripke models, and in Section 6 we discuss its complexity. The model checking results are strengthened in Section 7 to hybrid and other extensions of $K_t$, for which some model checking tasks remain decidable.

2 Preliminaries 

2.1 The basic tense logic $K_t$

We consider transition systems with one transition relation $R$. The basic tense logic $K_t$ for such transition systems extends classical propositional logic with two unary modalities: one associated with $R$ and the other with its inverse $R^{-1}$, respectively denoted by $[R]$ and $[R^{-1}]$. The generalization of what follows to the case of languages and models for transition systems with many relations is straightforward. Note that the relation $R$ is not assumed transitive, and therefore the language of $K_t$ cannot express $R$-reachability properties.

2.2 Rational transducers and rational relations 

Rational transducers, studied by Eilenberg [S], Elgot and Mezei [10], Nivat, Berstel [1], etc., are asynchronous automata on pairs of words. Intuitively, these are finite automata with two autonomous heads that read the input pair of words asynchronously, i.e., each of them can read arbitrarily far ahead of the other. The transitions are determined by a finite set of pairs of (possibly empty) words; alternatively, a transition can be labeled either by a pair of letters (when both heads make a move on their respective words) or by $(a, \varepsilon)$ or $(\varepsilon, a)$, where $a$ is a letter and $\varepsilon$ is the empty word (when one of the heads reads on, while the other is waiting). The formal definition follows.

Definition 1. A (rational) transducer is a tuple $T = (Q, \Sigma, \Gamma, q_I, F, \rho)$ where $\Sigma$ and $\Gamma$ are the input and output alphabets respectively, $Q$ a set of states, $q_I \in Q$ a unique starting state, $F \subseteq Q$ a set of accepting states and $\rho \subseteq Q \times (\Sigma \cup \{\varepsilon\}) \times (\Gamma \cup \{\varepsilon\}) \times Q$ is the transition relation, consisting of finitely many tuples, each containing the current state, the pair of letters (or $\varepsilon$) triggering the transition, and the new state. Alternatively, one can take $\rho \subseteq Q \times \Sigma^* \times \Gamma^* \times Q$.

The language recognized by the transducer $T$ is the set of all pairs of words for which it has a reading that ends in an accepting state. Thus, the transducer $T$ recognizes a binary relation $R \subseteq \Sigma^* \times \Gamma^*$.

This is the 'static' definition of rational transducers; they can also be defined 'dynamically', as reading an input word and transforming it into an output word according to the transition relation, which is now regarded as a mapping from words to sets of words (because it can be non-deterministic).

Example 1. For $T = (Q, \Sigma, \Gamma, q_I, F, \rho)$ let $Q = \{q_1, q_2\}$; $\Sigma = \{0, 1\} = \Gamma$; $q_I = q_1$; $F = \{q_2\}$; $\rho = \{(q_1, 0, 0, q_1),\ (q_1, 1, 1, q_1),\ (q_1, \varepsilon, 0, q_2),\ (q_1, \varepsilon, 1, q_2)\}$.

Notice that in the representation of $T$ there is only one edge between two states, but an edge may have more than one label.

A relation $R \subseteq \Sigma^* \times \Gamma^*$ is rational if it is recognizable by a rational transducer. Equivalently (see [1]), given finite alphabets $\Sigma, \Gamma$, a (binary) rational relation over $(\Sigma, \Gamma)$ is a rational subset of $\Sigma^* \times \Gamma^*$, i.e., a subset generated by a rational expression (built up using union, concatenation, and iteration) over a finite subset of $\Sigma^* \times \Gamma^*$. Hereafter, we will assume that the input and output alphabets $\Sigma$ and $\Gamma$ coincide.

Besides the references above, rational relations have also been studied by Johnson [13], Frougny and Sakarovitch [12], and more recently by Morvan [20]. It is important to note that the class of rational relations is closed under unions, compositions, and inverses [1]. On the other hand, the class of rational relations is not closed under intersections, complements, and transitive closure (ibid.).



Fig. 1. The transducer $T$ which recognizes pairs of words of the forms $(u, u0)$ or $(u, u1)$ where $u \in \Sigma^*$.
3 Rational Kripke models

3.1 Rational graphs

Definition 2. A graph $\mathcal{G} = (S, E)$ is rational if the set of vertices $S$ is a regular language in some finite alphabet $\Sigma$ and the set of edges $E$ is a rational relation on $S$.

Example 2. The infinite grid. Let $\Sigma = \{0, 1\}$; the infinite grid with vertices in $\Sigma^*$ is shown in Figure 2, and the edge relation of this graph is recognized by the transducer given in the same figure.

Fig. 2. The infinite grid with set of vertices $S = 0^*1^*$ and a transducer that recognizes the infinite grid.
Example 3. The complete binary tree.

Figure 3 contains the complete binary tree with vertices in $\{0, 1\}^*$ and edges labeled by $\Gamma = \{a, b\}$, as well as the transducer recognizing it, in which the accepting states are labeled respectively by $a$ and $b$. The pairs of words for which the transducer ends in the accepting state labeled $a$ belong to the left successor relation in the tree (labeled by $a$), and those for which the transducer ends in the accepting state $q_5$ belong to the right successor relation in the tree (labeled by $b$).

Fig. 3. The complete binary tree and a labeled transducer recognizing it.




An important and extensively studied subclass of rational graphs is the class of automatic graphs [14,16]. These are rational graphs whose transition relations are recognized by synchronized transducers.

As shown by Blumensath [5], the configuration graph of every Turing machine is an automatic graph. Consequently, important queries such as reachability are generally undecidable on automatic graphs, and hence on rational graphs. Furthermore, Morvan showed in [20] that the configuration graphs of Petri nets [21] are rational (in fact, automatic) graphs, too.

Moreover, Johnson [13] proved that even very simple first-order definable properties of a rational relation, e.g., reflexivity, transitivity, symmetry, turn out to be undecidable (with the transducer recognizing the relation as input), by reduction from the Post Correspondence Problem (PCP). Independently, Morvan [20] has shown that the query $\exists x\, Rxx$ on rational frames is undecidable as well. The reduction of PCP here is straightforward: given a PCP instance $\{(u_1, v_1), \ldots, (u_n, v_n)\}$, consider a transducer with only one state, which is both initial and accepting, and which allows the transitions $(u_1, v_1), \ldots, (u_n, v_n)$. Then the PCP has a solution precisely if some pair $(w, w)$ is accepted by the transducer. Inclusion and equality of rational relations are undecidable, too [1].

Furthermore, in [22] W. Thomas has constructed a single rational graph with undecidable first-order theory by encoding the halting problem of a universal Turing machine.



3.2 Rational Kripke models 



Rational graphs can be viewed as Kripke frames, hereafter called rational Kripke frames.

Definition 3. A Kripke model $\mathcal{M} = (\mathcal{F}, V) = (S, R, V)$ is a rational Kripke model (RKM) if the frame $\mathcal{F}$ is a rational Kripke frame, and the valuation $V$ assigns a regular language to each propositional variable, i.e., $V(p) \in \mathrm{REG}(\Sigma^*)$ for every $p \in \Phi$. A valuation satisfying this condition is called a rational valuation.

Example 4. In this example we present a RKM based on the configuration graph of a Petri net. To make it self-contained, we give the basic relevant definitions here; for more detail see e.g., [21]. A Petri net is a tuple $N = (P, T, F, M)$ where $P$ and $T$ are disjoint finite sets whose elements are called places and transitions, respectively. $F : (P \times T) \cup (T \times P) \to \mathbb{N}$ is called a flow function and is such that if $F(x, y) > 0$ then there is an arc from $x$ to $y$ and $F(x, y)$ is the multiplicity of that arc. Each of the places contains a number of tokens, and a vector of integers $M$ is called a configuration (or marking) of the Petri net if the $i$-th component of $M$ is equal to the number of tokens at the $i$-th place in the Petri net. The configuration graph of $N$ has as vertices all possible configurations of $N$, and its edges represent the possible transitions between configurations.

Now, let $N = (P, T, F, M)$ be a Petri net where $P = \{p_1, p_2\}$, $T = \{t\}$, $F(p_1, t) = 2$, $F(t, p_2) = 3$ and $M = (4, 5)$. Let $\mathcal{M} = (S, R, V)$ where $S = 0^*10^*$, $R$ is the transition relation of the configuration graph of $N$, and $V$ is the valuation defined by $V(p) = 0010^*$ and $V(q) = 0^*1000$. Then $\mathcal{M}$ is a RKM and can be presented by the machines in Figure 4.



Fig. 4. A finite presentation of $\mathcal{M}$: $\mathcal{A}_1$, $\mathcal{A}_2$ and $\mathcal{A}_3$ recognize $S$, $V(p)$ and $V(q)$ respectively, and $T$ recognizes $R$.
4 Synchronized products of transducers and automata

In this section $\varepsilon$ will denote the empty word, but it will also be treated as a special symbol in an extended alphabet.

Definition 4. Let $u$ be a word in some alphabet $\Gamma$ and $\gamma \in \Gamma$. The $\gamma$-reduction of $u$, denoted $u|_\gamma$, is the word obtained from $u$ after deleting all occurrences of $\gamma$. Likewise, if $Y$ is a language in the alphabet $\Gamma$, then the $\gamma$-reduction of $Y$, denoted $Y|_\gamma$, is the language consisting of all $\gamma$-reductions of words in $Y$.

Lemma 1. If $Y$ is a regular language over an alphabet $\Gamma$ then $Y|_\gamma$ is a regular language over the alphabet $\Gamma - \{\gamma\}$.

Proof. (Sketch) An automaton $\mathcal{A}|_\gamma$ recognizing $Y|_\gamma$, called here the $\gamma$-reduction of $\mathcal{A}$, can be constructed from an automaton $\mathcal{A}$ recognizing $Y$ as follows:

1. Remove all $\gamma$-transitions.

2. Add $(q, \gamma', q'')$ as a transition in $\mathcal{A}|_\gamma$ whenever $(q, \gamma, q')$ and $(q', \gamma', q'')$ are transitions in $\mathcal{A}$ and $\gamma \neq \gamma'$.

3. Finally, define the accepting states of $\mathcal{A}|_\gamma$ as all accepting states of $\mathcal{A}$ plus those states $q$ such that $q \xrightarrow{\gamma} q'$ in $\mathcal{A}$ and $q'$ is an accepting state in $\mathcal{A}$. ◁

Definition 5. A run of a finite automaton $\mathcal{A} = (Q, \Sigma, q^0, F, \delta)$ is a sequence of states and transitions of $\mathcal{A}$: $q_0 \xrightarrow{x_1} q_1 \xrightarrow{x_2} q_2 \cdots \xrightarrow{x_n} q_n$, such that $q_0 = q^0$, $q_j \in Q$, $x_j \in \Sigma$, and $q_j \in \delta(q_{j-1}, x_j)$ for every $j = 1, 2, \ldots, n$.

A run is accepting if it ends in an accepting state.

Runs and accepting runs of transducers are defined likewise.

Definition 6. A stuttering run of a finite automaton $\mathcal{A} = (Q, \Sigma, q^0, F, \delta)$ is a sequence $q_0 \xrightarrow{x_1} q_1 \xrightarrow{x_2} q_2 \cdots \xrightarrow{x_n} q_n$, such that $q_0 = q^0$, $q_j \in Q$, and either $x_j \in \Sigma$ and $q_j \in \delta(q_{j-1}, x_j)$, or $x_j = \varepsilon$ and $q_j = q_{j-1}$, for every $j = 1, 2, \ldots, n$.

Thus, a stuttering run of an automaton can be obtained by inserting $\varepsilon$-transitions from a state to itself into a run of that automaton. If the latter run is accepting, we declare the stuttering run to be an accepting stuttering run.

A stuttering word in an alphabet $\Sigma$ is any word in $(\Sigma \cup \{\varepsilon\})^*$.

The stuttering language of the automaton $\mathcal{A}$ is the set $L_\varepsilon(\mathcal{A})$ of all stuttering words whose $\varepsilon$-reductions are recognized by $\mathcal{A}$; equivalently, all stuttering words for which there is an accepting stuttering run of the automaton.

Definition 7. Let $T = (Q_T, \Sigma, q_T, F_T, \rho_T)$ be a transducer, and let $\mathcal{A} = (Q_A, \Sigma, q_A, F_A, \delta_A)$ be a (non-deterministic) finite automaton. The synchronized product of $T$ with $\mathcal{A}$ is the finite automaton

$T \wedge \mathcal{A} = (Q_T \times Q_A,\ \Sigma,\ (q_T, q_A),\ F_T \times F_A,\ \delta_{T \wedge A})$

where $\delta_{T \wedge A} : (Q_T \times Q_A) \times (\Sigma \cup \{\varepsilon\}) \to \mathcal{P}(Q_T \times Q_A)$ is such that, for any $p_T, p'_T \in Q_T$ and $p_A, p'_A \in Q_A$, $(p'_T, p'_A) \in \delta_{T \wedge A}((p_T, p_A), x)$ if and only if

1. either there exists a $y \in \Sigma$ such that $p'_A \in \delta_A(p_A, y)$ and $(p_T, x, y, p'_T) \in \rho_T$;

2. or $(p_T, x, \varepsilon, p'_T) \in \rho_T$ and $p'_A = p_A$.



Note that every run $R_{T \wedge A} = (p^0_T, p^0_A) \xrightarrow{x_1} (p^1_T, p^1_A) \cdots \xrightarrow{x_n} (p^n_T, p^n_A)$ of the automaton $T \wedge \mathcal{A}$ can be obtained from a pair consisting of

a run $R_T = p^0_T \xrightarrow{(x_1/w_1)} p^1_T \xrightarrow{(x_2/w_2)} \cdots \xrightarrow{(x_n/w_n)} p^n_T$ in $T$,

and a stuttering run $R^\varepsilon_A = p^0_A \xrightarrow{w_1} p^1_A \xrightarrow{w_2} \cdots \xrightarrow{w_n} p^n_A$ in $\mathcal{A}$,

by pairing the respective states $p^j_T$ and $p^j_A$ and removing the output symbol $w_j$ for every $j = 1, 2, \ldots, n$.

Let the reduction of $R^\varepsilon_A$ be the run $R_A = q^0_A \xrightarrow{y_1} q^1_A \cdots \xrightarrow{y_m} q^m_A$, with $m \le n$. Then we say that the run $R_{T \wedge A}$ is a synchronization of the runs $R_T$ and $R_A$.

Note that the synchronization of accepting runs of $T$ and $\mathcal{A}$ is an accepting run of $T \wedge \mathcal{A}$. The following lemma is now immediate:

Lemma 2. Let $T = (Q_T, \Sigma, q_T, F_T, \rho_T)$ be a transducer recognizing the relation $R(T)$ and let $\mathcal{A} = (Q_A, \Sigma, q_A, F_A, \delta_A)$ be a finite automaton recognizing the language $L(\mathcal{A})$. Then the language recognized by the synchronized product of $T$ and $\mathcal{A}$ is

$L(T \wedge \mathcal{A}) = \{u \mid \exists w \in L_\varepsilon(\mathcal{A})\ (u\, R(T)\, w)\}.$



5 Model checking of $K_t$ in rational Kripke models

In this section we establish decidability of the basic model checking problems for formulae of $K_t$ in rational Kripke models.

Lemma 3. Let $\Sigma$ be a finite non-empty alphabet, $X \subseteq \Sigma^*$ a regular subset, and let $R \subseteq \Sigma^* \times \Sigma^*$ be a rational relation. Then the sets

$\langle R\rangle X = \{u \in \Sigma^* \mid \exists v \in X\ (uRv)\}$

and

$\langle R^{-1}\rangle X = \{u \in \Sigma^* \mid \exists v \in X\ (vRu)\}$

are regular subsets of $\Sigma^*$.

Proof. This claim essentially follows from results of Nivat (see Q]). However, using Lemmas 1 and 2 we give a constructive proof, which explicitly produces automata that recognize the resulting regular languages. Let $\mathcal{A}$ be a finite automaton recognizing $X$ and $T$ a transducer recognizing $R$. Then the $\varepsilon$-reduction of the synchronized product of $T$ with $\mathcal{A}$ is an automaton recognizing $\langle R\rangle X$; for $\langle R^{-1}\rangle X$ we take instead of $T$ the transducer for $R^{-1}$, obtained from $T$ by swapping the input and output symbols in the transition relation⁴. ◁

⁴ Note that, in general, the resulting automata need not be minimal, because they may have redundant states and transitions.



Example 5. Consider the automaton $\mathcal{A}$ and transducer $T$ in Figure 5. The language recognized by $\mathcal{A}$ is X = 1* (1 + + ) and the relation $R$ recognized by $T$ is

$R = \{(1^n 0, 10^n 1)^m (1^k, 10^k) \mid n, m, k \in \mathbb{N}\} \cup \{(1^n 0, 10^n 1)^m (01^k, 11^k) \mid n, m, k \in \mathbb{N}\},$

where $X_1 X_2$ denotes the component-wise concatenation of the relations $X_1$ and $X_2$, i.e., $X_1 X_2 = \{(u_1 u_2, v_1 v_2) \mid (u_1, v_1) \in X_1, (u_2, v_2) \in X_2\}$. For instance, if we take $n = 1$, $m = 2$ and $k = 3$ we obtain that $(10, 101)^2 (1^3, 10^3) = (1010111, 1011011000) \in R$ (coming from the first set of the union) and $(10, 101)^2 (01^3, 11^3) = (10100111, 1011011111) \in R$ (coming from the second set of that union).

Then the synchronized product $T \wedge \mathcal{A}$ is the finite automaton given in Figure 6, recognizing $\langle R\rangle X = 0^* + 0^* 1^+$. Note that it can be simplified by removing redundant states and edges.



Fig. 5. The automaton A and the transducer T. 




Fig. 6. The synchronized product T A. A recognizing (R) X. 
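The construction in the proof of Lemma 3 (synchronized product of Definition 7, then the $\varepsilon$-reduction of Lemma 1, and the swapped transducer for $\langle R^{-1}\rangle$), as an added Python example that is not the paper's own code. It is run on the Petri-net model of Example 4; the transducer `PETRI_T` for the firing of $t$ and the automata `V_P`, `V_Q` for $V(p)$ and $V(q)$ are my own encodings of that example, and automata are assumed to be given without $\varepsilon$-edges of their own.

```python
# Added example: <R>X and <R^-1>X (Lemma 3) via the synchronized product of
# Definition 7 and the eps-reduction of Lemma 1, run on the Petri-net RKM of
# Example 4 (states 0*10*, V(p) = 0010*, V(q) = 0*1000).  Not the paper's code.
from dataclasses import dataclass
from itertools import product

EPS = ""  # the empty word, also the extra "waiting head" symbol of Section 4


@dataclass(frozen=True)
class NFA:
    start: object
    accepting: frozenset
    delta: frozenset  # edges (q, a, q2); a is a letter or EPS

    def closure(self, states):
        # all states reachable from `states` by EPS edges only
        seen, todo = set(states), list(states)
        while todo:
            q = todo.pop()
            for (p, a, q2) in self.delta:
                if p == q and a == EPS and q2 not in seen:
                    seen.add(q2)
                    todo.append(q2)
        return seen

    def accepts(self, word):
        current = self.closure({self.start})
        for a in word:
            step = {q2 for (q, x, q2) in self.delta if q in current and x == a}
            current = self.closure(step)
        return bool(current & self.accepting)


@dataclass(frozen=True)
class Transducer:
    start: object
    accepting: frozenset
    rho: frozenset  # edges (q, x, y, q2); input x and output y may be EPS

    def inverse(self):
        # swap input and output symbols: recognizes R^-1 (proof of Lemma 3)
        return Transducer(self.start, self.accepting,
                          frozenset((q, y, x, q2) for (q, x, y, q2) in self.rho))


def synchronized_product(t, a):
    """Definition 7: T /\\ A, an NFA over Sigma u {EPS} accepting u iff u R w for some w in L_eps(A)."""
    a_states = {a.start, *a.accepting, *(q for e in a.delta for q in (e[0], e[2]))}
    delta = set()
    for (pt, x, y, pt2) in t.rho:
        if y == EPS:
            # case 2: the output head waits, so A does not move
            delta.update(((pt, pa), x, (pt2, pa)) for pa in a_states)
        else:
            # case 1: the output letter y drives a transition of A
            delta.update(((pt, pa), x, (pt2, pa2)) for (pa, z, pa2) in a.delta if z == y)
    return NFA((t.start, a.start),
               frozenset(product(t.accepting, a.accepting)), frozenset(delta))


def eps_reduction(nfa):
    """Lemma 1 with gamma = EPS, iterated to a fixpoint so chains of EPS edges are covered."""
    delta, accepting = set(nfa.delta), set(nfa.accepting)
    changed = True
    while changed:
        changed = False
        for (q, x, q2) in [e for e in delta if e[1] == EPS]:
            # step 2: q inherits every non-EPS edge leaving q2
            for (p, y, r) in [e for e in delta if e[0] == q2 and e[1] != EPS]:
                if (q, y, r) not in delta:
                    delta.add((q, y, r))
                    changed = True
            # step 3: q becomes accepting if an EPS edge leads to an accepting state
            if q2 in accepting and q not in accepting:
                accepting.add(q)
                changed = True
    # step 1: finally drop the EPS edges themselves
    return NFA(nfa.start, frozenset(accepting), frozenset(e for e in delta if e[1] != EPS))


def diamond(t, x):          # <R>X = {u | exists v in X with u R v}
    return eps_reduction(synchronized_product(t, x))


def diamond_inverse(t, x):  # <R^-1>X = {u | exists v in X with v R u}
    return diamond(t.inverse(), x)


# Example 4: the single transition t with F(p1,t) = 2, F(t,p2) = 3; a marking
# (m1, m2) is the word 0^m1 1 0^m2, and firing t maps it to 0^(m1-2) 1 0^(m2+3).
PETRI_T = Transducer("t0", frozenset({"t6"}), frozenset({
    ("t0", "0", EPS, "t1"), ("t1", "0", EPS, "t2"),  # consume two tokens of p1
    ("t2", "0", "0", "t2"), ("t2", "1", "1", "t3"),  # copy the rest of p1 and the 1
    ("t3", "0", "0", "t3"),                          # copy the tokens of p2
    ("t3", EPS, "0", "t4"), ("t4", EPS, "0", "t5"), ("t5", EPS, "0", "t6")}))  # add 3
V_P = NFA("b0", frozenset({"b3"}), frozenset({      # V(p) = 0010*
    ("b0", "0", "b1"), ("b1", "0", "b2"), ("b2", "1", "b3"), ("b3", "0", "b3")}))
V_Q = NFA("a0", frozenset({"a4"}), frozenset({      # V(q) = 0*1000
    ("a0", "0", "a0"), ("a0", "1", "a1"), ("a1", "0", "a2"),
    ("a2", "0", "a3"), ("a3", "0", "a4")}))

PRE_Q = diamond(PETRI_T, V_Q)           # [[<R>q]]: markings with a successor in V(q), i.e. 000*1
POST_P = diamond_inverse(PETRI_T, V_P)  # [[<R^-1>p]]: markings with a predecessor in V(p), i.e. 10000*
```

`PRE_Q.accepts("001")` and `POST_P.accepts("1000")` hold, while `"0010"` and `"100"` are rejected, matching the hand computation of the two extensions.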
Theorem 1. For every formula $\varphi \in K_t$ and rational Kripke model $\mathcal{M} = (\Sigma^*, R, V)$, the set $[\![\varphi]\!]_\mathcal{M}$ is a rational language, effectively computable from $\varphi$ and the rational presentation of $\mathcal{M}$.

Proof. We prove the claim by induction on $\varphi$.

1. If $\varphi$ is an atomic proposition, the claim follows from the definition of a rational model.

2. The boolean cases follow from the effective closure of regular languages under boolean operations.

3. If $\varphi = \langle R\rangle\psi$ then $[\![\varphi]\!]_\mathcal{M} = \langle R\rangle [\![\psi]\!]_\mathcal{M}$, which is regular by the inductive hypothesis and Lemma 3. Likewise for the case $\varphi = \langle R^{-1}\rangle\psi$. ◁

We now consider the following algorithmic model checking problems, where the Kripke model is supposed to be given by some effective presentation:

1. Local model checking: given a Kripke model $\mathcal{M}$, a state $s$ in $\mathcal{M}$, and a formula $\varphi$ of $K_t$, determine whether $\mathcal{M}, s \models \varphi$.

2. Global model checking: given a Kripke model $\mathcal{M}$ and a formula $\varphi$ of $K_t$, determine (effectively) the set $[\![\varphi]\!]_\mathcal{M}$ of all states in $\mathcal{M}$ where $\varphi$ is true.

3. Checking satisfiability in a model: given a Kripke model $\mathcal{M}$ and a formula $\varphi$ of $K_t$, determine whether $[\![\varphi]\!]_\mathcal{M} \neq \emptyset$.

Corollary 1. Local model checking, global model checking, and checking satisfiability in a model of formulae in $K_t$ in rational Kripke models are decidable.

Proof. Decidability of global model checking follows immediately from Theorem 1. Then, decidability of local model checking and of checking satisfiability in a rational model follow respectively from the decidability of membership in a regular language, and of non-emptiness of a regular language (see e.g., [E]). ◁

6 Complexity 

We will now attempt to analyze the complexity of global model checking a formula in $K_t$ on a rational Kripke model. Depending on which of these is fixed, we distinguish two complexity measures (see e.g., [TB]): formula (expression) complexity (when the model is fixed and the formula is fed as input) and structure complexity (when the formula is fixed and the model is fed as input).

6.1 Normal forms and ranks of formulae 

We will first need to define some standard technical notions. 

A formula $\varphi \in K_t$ is in negation normal form if every occurrence of the negation immediately precedes a propositional variable. Clearly every formula $\varphi \in K_t$ is equivalent to a formula $\psi \in K_t$ in negation normal form, of size linear in the size of $\varphi$. For the remainder of this section, we will assume that a formula $\varphi$ we wish to model check is in negation normal form.

The modal rank of a formula counts the greatest number of nested modalities in the formula, while the alternating box (resp., diamond) rank of a formula counts the greatest number of nested alternations of modalities with an outermost box (resp., diamond) in that formula. Formally:

Definition 8. The modal rank of a formula $\varphi \in K_t$, denoted by $mr(\varphi)$, is defined inductively as follows:

1. if $p$ is an atomic proposition, then $mr(p) = 0$ and $mr(\neg p) = 0$;

2. $mr(\varphi_1 \vee \varphi_2) = mr(\varphi_1 \wedge \varphi_2) = \max\{mr(\varphi_1), mr(\varphi_2)\}$;

3. $mr(\Delta\varphi) = mr(\varphi) + 1$ where $\Delta \in \{[R], \langle R\rangle, [R^{-1}], \langle R^{-1}\rangle\}$.

Definition 9. The alternating box rank and alternating diamond rank of a formula $\varphi \in K_t$, denoted respectively by $ar_\Box(\varphi)$ and $ar_\Diamond(\varphi)$, are defined by simultaneous induction as follows, where $\Delta \in \{\Box, \Diamond\}$:

1. if $p$ is an atomic proposition, then $ar_\Delta(p) = 0$ and $ar_\Delta(\neg p) = 0$;

2. $ar_\Delta(\varphi_1 \vee \varphi_2) = ar_\Delta(\varphi_1 \wedge \varphi_2) = \max\{ar_\Delta(\varphi_1), ar_\Delta(\varphi_2)\}$;

3. $ar_\Diamond(\langle R\rangle\varphi) = ar_\Box(\varphi) + 1$ and $ar_\Box(\langle R\rangle\varphi) = ar_\Box(\varphi)$. Likewise for $ar_\Diamond(\langle R^{-1}\rangle\varphi)$ and $ar_\Box(\langle R^{-1}\rangle\varphi)$.

4. $ar_\Box([R]\varphi) = ar_\Diamond(\varphi) + 1$ and $ar_\Diamond([R]\varphi) = ar_\Diamond(\varphi)$. Likewise for $ar_\Box([R^{-1}]\varphi)$ and $ar_\Diamond([R^{-1}]\varphi)$.

Finally, the alternation rank of $\varphi$, denoted $ar(\varphi)$, is defined to be

$ar(\varphi) = \max\{ar_\Box(\varphi), ar_\Diamond(\varphi)\}.$

For instance, $ar_\Box([R](\langle R\rangle[R]p \vee [R][R^{-1}]\neg q)) = 3$ and $ar_\Diamond([R](\langle R\rangle[R]p \vee [R][R^{-1}]\neg q)) = 2$, hence $ar([R](\langle R\rangle[R]p \vee [R][R^{-1}]\neg q)) = 3$.

6.2 Formula complexity 

We measure the size of a finite automaton or transducer $M$ by the number of transition edges in it, denoted $|M|$.

Proposition 1. If $\mathcal{A}$ is an automaton recognizing the regular language $X$ and $T$ a transducer recognizing the rational relation $R$, then the time complexity of computing an automaton recognizing $\langle R\rangle^m X$ is in $O(|T|^m |\mathcal{A}|)$.

Proof. The size of the synchronized product $T \wedge \mathcal{A}$ of $T$ and $\mathcal{A}$ is bounded above by $|T||\mathcal{A}|$ and it can be computed in time $O(|T||\mathcal{A}|)$. The claim now follows by iterating that procedure $m$ times. ◁

However, we are going to show that the time complexity of computing an automaton recognizing $[R]X$ is far worse.

For a regular language $X$ recognized by an automaton $\mathcal{A}$, we define $R_X = \{(u, \varepsilon) \mid u \in X\}$. A transducer $T$ recognizing $R_X$ can be constructed from $\mathcal{A}$ by simply replacing every edge $(q, x, p)$ in $\mathcal{A}$ with the edge $(q, x, \varepsilon, p)$.

Lemma 4. Let $X$ be a regular language. Then the complement $\overline{X}$ of $X$ equals $[R_X]\emptyset$.

Proof. Routine verification. ◁

Consequently, computing $[R_X]\emptyset$ cannot be done in less than exponential time in the size of the (non-deterministic) automaton $\mathcal{A}$ for $X$. This result suggests the following conjecture.

Conjecture 1. The formula complexity of global model checking of a $K_t$-formula is non-elementary in terms of the alternating box rank of the formula.

6.3 Structure complexity 

Next we analyze the structure complexity, i.e., the complexity of global model checking a fixed formula $\varphi \in K_t$ on an input rational Kripke model. Here the input is assumed to be the transducer and automata presenting the model.

Fix a formula $\varphi \in K_t$ in negation normal form. Then for any input rational Kripke model $\mathcal{M}$ there is a fixed number of operations to perform on the input transducer and automata that can lead to subsequent exponential blow-ups of the size of the automaton computing $[\![\varphi]\!]_\mathcal{M}$. That number is bounded by the modal rank $mr(\varphi)$ of the formula $\varphi$, and therefore the structure complexity is bounded above by an exponential tower of height not exceeding that modal rank:

$2^{2^{\cdots^{2^{|T||\mathcal{A}|}}}}$ ($mr(\varphi)$ times).

However, using the alternation rank of $\varphi$ and Proposition 1 we can do better.

Proposition 2. The structure complexity of global model checking for a fixed formula $\varphi \in K_t$ on an input rational Kripke model $\mathcal{M}$, presented by the transducer and automata $\{T, \mathcal{A}_1, \ldots, \mathcal{A}_n\}$, is bounded above by

$2^{2^{\cdots^{2^{P(|T|)}}}}$ ($ar(\varphi)$ times),

where $P(|T|)$ is a polynomial in $|T|$ with leading coefficient not greater than $n 2^c$, where $c \le \max\{|\mathcal{A}_i| \mid i = 1, \ldots, n\}$, and degree no greater than $mr(\varphi)$.

Proof. The number of steps in the computation of $[\![\varphi]\!]_\mathcal{M}$ following the structure of $\varphi$ that produce nested exponential blow-ups can be bounded by the alternation rank, since nesting of any number of diamonds does not cause an exponential blow-up, while nesting of any number of boxes can be reduced by double complementation to nesting of diamonds; e.g., $[R]([R][R]p \vee [R^{-1}]\neg q)$ can be equivalently rewritten as $\neg\langle R\rangle(\langle R\rangle\langle R\rangle\neg p \wedge \langle R^{-1}\rangle q)$. The initial synchronized product construction (when a diamond or box is applied to a boolean formula) produces an automaton of size at most $2^c|T|$, the number of nested product constructions is bounded above by $mr(\varphi)$, and each of these multiplies the size of the current automaton by $|T|$. In the worst case, all alternations would take place after all product constructions, hence the upper bound. ◁
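The rank definitions of Section 6.1 and the box-to-diamond rewrite used in the proof above, as an added Python example (not the paper's code): formulae are nested tuples, `nnf` pushes negation down to the atoms, `modal_rank` and `alt_ranks` implement Definitions 8 and 9, and `as_negated_diamonds` performs the double-complementation rewrite; the tuple encoding and function names are my own.

```python
# Added example (not the paper's code): K_t formulae as nested tuples, negation
# normal form, the modal rank of Definition 8, the alternating ranks of
# Definition 9, and the box-to-diamond rewrite from the proof of Proposition 2.
BOX, DIA, NOT, AND, OR = "box", "dia", "not", "and", "or"
# A formula is an atom (a string) or one of:
#   (NOT, f), (AND, f, g), (OR, f, g), (BOX, rel, f), (DIA, rel, f)
# with rel in {"R", "R-1"} standing for [R]/<R> and [R^-1]/<R^-1>.


def nnf(f):
    """Push negations down to the atoms; the result is at most linearly larger."""
    if isinstance(f, str):
        return f
    op = f[0]
    if op == NOT:
        g = f[1]
        if isinstance(g, str):
            return f                                   # literal -p stays
        if g[0] == NOT:
            return nnf(g[1])                           # --g = g
        if g[0] in (AND, OR):                          # De Morgan
            return (OR if g[0] == AND else AND, nnf((NOT, g[1])), nnf((NOT, g[2])))
        # -[R]g = <R>-g  and  -<R>g = [R]-g (same for R^-1)
        return (DIA if g[0] == BOX else BOX, g[1], nnf((NOT, g[2])))
    if op in (AND, OR):
        return (op, nnf(f[1]), nnf(f[2]))
    return (op, f[1], nnf(f[2]))                       # BOX or DIA


def modal_rank(f):
    """Definition 8: the greatest number of nested modalities."""
    if isinstance(f, str):
        return 0
    if f[0] == NOT:
        return modal_rank(f[1])
    if f[0] in (AND, OR):
        return max(modal_rank(f[1]), modal_rank(f[2]))
    return modal_rank(f[2]) + 1


def alt_ranks(f):
    """Definition 9 on a formula in NNF: returns (ar_box(f), ar_dia(f))."""
    if isinstance(f, str):
        return (0, 0)
    if f[0] == NOT:
        assert isinstance(f[1], str), "alt_ranks expects negation normal form"
        return (0, 0)
    if f[0] in (AND, OR):
        b1, d1 = alt_ranks(f[1])
        b2, d2 = alt_ranks(f[2])
        return (max(b1, b2), max(d1, d2))
    box, dia = alt_ranks(f[2])
    if f[0] == DIA:                                    # ar_dia(<R>f) = ar_box(f) + 1
        return (box, box + 1)
    return (dia + 1, dia)                              # ar_box([R]f) = ar_dia(f) + 1


def alternation_rank(f):
    """ar(f) = max(ar_box(f), ar_dia(f)), computed on the NNF of f."""
    return max(alt_ranks(nnf(f)))


def as_negated_diamonds(f):
    """Rewrite f as -(nnf(-f)): outermost box nests become diamond nests under one
    negation, the double-complementation step in the proof of Proposition 2."""
    return (NOT, nnf((NOT, f)))


# The example of Section 6.1: [R](<R>[R]p v [R][R^-1]-q), already in NNF.
EXAMPLE = (BOX, "R", (OR, (DIA, "R", (BOX, "R", "p")),
                          (BOX, "R", (BOX, "R-1", (NOT, "q")))))
# The example of the Proposition 2 proof: [R]([R][R]p v [R^-1]-q).
NESTED_BOXES = (BOX, "R", (OR, (BOX, "R", (BOX, "R", "p")), (BOX, "R-1", (NOT, "q"))))
```

For `EXAMPLE` the ranks come out as $ar_\Box = 3$, $ar_\Diamond = 2$ and $mr = 3$, and `as_negated_diamonds(NESTED_BOXES)` yields exactly the rewritten formula quoted in the proof.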



7 Model checking extensions of $K_t$ on rational models

7.1 Model checking hybrid extensions of $K_t$

A major limitation of the basic modal language is its inability to refer explicitly to states in a Kripke model, although the modal semantics evaluates modal formulae at states. Hybrid logics provide a remedy for that problem. We will only introduce some basic hybrid logics of interest here; for more details consult the literature on hybrid logic.

The basic hybrid tense logic $H_t$ extends the basic tense logic $K_t$ with a set of new atomic symbols called nominals, which syntactically form a second type of atomic formulae and are evaluated in Kripke models in singleton sets of states. The unique state in the valuation of a nominal is called its denotation. Thus, nominals can be used in $H_t$ to refer directly to states.

Here is the formal definition of the set of formulae of $H_t$:

$\varphi := p \mid i \mid \neg\varphi \mid \varphi \vee \varphi \mid \langle R\rangle\varphi \mid \langle R^{-1}\rangle\varphi,$

where $i$ is a nominal and $p \in \Phi$.

The basic hybrid logic $H_t$ can be further extended to $H_t(@)$ by adding the satisfaction operator $@$, where the formula $@_i\varphi$ means '$\varphi$ is true at the denotation of $i$'. A more expressive extension of $H_t$ is $H_t(U)$, involving the universal modality with semantics $\mathcal{M}, v \models [U]\varphi$ iff $\mathcal{M}, w \models \varphi$ for every $w \in \mathcal{M}$. The operator $@$ is definable in $H_t(U)$ by $@_i\varphi := [U](i \to \varphi)$. Moreover, $H_t$ can be extended with the more expressive difference modality $\langle D\rangle$ (and its dual $[D]$), where $\mathcal{M}, v \models \langle D\rangle\varphi$ iff there exists a $w \neq v$ such that $\mathcal{M}, w \models \varphi$. Note that $[U]$ is definable in $H_t(D)$ by $[U]\varphi := \varphi \wedge [D]\varphi$.

Yet another extension of $H_t(@)$ is $H_t(@, \downarrow)$, which also involves state variables and binders that bind these variables to states. Thus, in addition to $H_t(@)$, formulae also include $\downarrow x.\varphi$ for $x$ a state variable. For a formula $\varphi$ possibly containing free occurrences of a state variable $x$, and $w$ a state in a given model, let $\varphi[x \leftarrow i_w]$ denote the result of substituting all free occurrences of $x$ by a nominal $i_w$ in $\varphi$, where $w$ is the denotation of $i_w$. Then the semantics of $\downarrow x.\varphi$ is defined by: $\mathcal{M}, w \models\ \downarrow x.\varphi$ iff $\mathcal{M}, w \models \varphi[x \leftarrow i_w]$.

Proposition 3. For every formula $\varphi$ of the hybrid language $H_t(D)$ (and therefore of $H_t(@)$ and of $H_t(U)$) and every rational Kripke model $\mathcal{M}$, the set $[\![\varphi]\!]_\mathcal{M}$ is an effectively computable rational language.

Proof. The claim follows from Theorem 1, since the valuations of nominals, being singletons, are rational sets, and the difference relation $D$ is a rational relation. The latter can be shown by explicitly constructing a transducer recognizing $D$ in a given rational set, or by noting that it is the complement of the automatic relation of equality, hence it is automatic itself, as the family of automatic relations is closed under complements (see e.g., [13] or [5]). ◁

Corollary 2. Global and local model checking, as well as satisfiability checking, of formulae of the hybrid language $H_t(D)$ (and therefore of $H_t(@)$ and $H_t(U)$, too) in rational Kripke models are decidable.

Proposition 4. Model checking of the $H_t(@, \downarrow)$-formula $\downarrow x.\langle R\rangle x$ on a given input rational Kripke model is not decidable.

Proof. Immediate consequence of Morvan's earlier mentioned reduction [20] between the Post Correspondence Problem and the model checking of $\exists x\, Rxx$. ◁

Proposition 5. There is a rational Kripke model on which model checking formulae from the hybrid language $H_t(@, \downarrow)$ is undecidable.

Proof. (Sketch) The rational graph constructed by Thomas [22] can be used to prove this undecidability, since the first-order properties queried there are also expressible in $H_t(@, \downarrow)$. ◁



7.2 Counting modalities 

We now consider extensions of K t with counting (or, graded) modalities: 

— 0- k tp with semantics: 'there exist at least k successors where ip holds'; 

— 0- k ip with semantics: 'there exist at most k successors where ip holds'; 

— O k (p with semantics: 'there exist exactly k successors where ip holds'; 

— <y°°(f with semantics: 'there exist infinitely many successors where ip holds'. 

Clearly, some of these are inter-definable: <> k ip := 0- k <p A 0—<p, while 
0^ k (p := -iO^-V and 0^ k tp := -,0^ fe+ V 

We denote by C t the extension of K t with 0°°ip and all counting modalities 
for all integers k > 0. Further, we denote by C° the fragment of Ct where no 
occurrence of a counting modality is in the scope of any modal operator. 

Proposition 6. Local model checking of formulae in the language C° in rational 
Kripke models is decidable. 

Proof. First we note that each of the following problems: 'Given an automaton $A$, 
does its language contain at most / at least / exactly $k$ / finitely / infinitely many 
words?' is decidable. Indeed, the case of finite (respectively infinite) language is 
well-known (see e.g., [IS], pp. 186-189). A decision procedure⁵ for recognizing if 
the language of a given automaton $A$ contains at least $k$ words can be constructed 
recursively on $k$. When $k = 1$ that boils down to checking non-emptiness of the 
language (ibid). Suppose we have such a procedure $P_k$ for a given $k$. Then, a 
procedure for $k + 1$ can be designed as follows: first, test the language $L(A)$ of 
the given automaton for non-emptiness by looking for any word recognized by 
it (by searching for a path from the initial state to any accepting state). If such 
a word $w$ is found, modify the current automaton to exclude (only) $w$ from its 
language, i.e. construct an automaton for the language $L(A) \setminus \{w\}$, using the 
standard automata constructions. Then, apply the procedure $P_k$ to the resulting 
automaton. 

Testing $L(A)$ for having at most $k$ words is reduced to testing for at least 
$k + 1$ words; likewise, testing for exactly $k$ words is a combination of these. 

⁵ The procedure designed here is perhaps not the most efficient one, but it will not 
make the complexity of the model checking worse, given the high overall complexity 
of the latter. 

Now, the claim follows from Theorem 1. Indeed, given a RKM $\mathcal{M}$ and a 
formula $\varphi \in C_t^0$, for every subformula $\Diamond^{c}\psi$ of $\varphi$, where $\Diamond^{c}$ is any of the counting 
modalities listed above, the subformula $\psi$ is in $K_t$, and therefore an automaton 
for the regular language $[\psi]_{\mathcal{M}}$ is effectively computable. The set of successors of the 
state $s$ where the local model checking is performed which satisfy $\psi$, i.e. $R(s) \cap [\psi]_{\mathcal{M}}$, 
is then a regular language with an effectively computable automaton (the image of the 
regular singleton $\{s\}$ under the rational transition relation), so the counting tests above 
decide whether $\Diamond^{c}\psi$ is true at $s$. It remains to note that every formula of $C_t^0$ is a 
boolean combination of $K_t$-formulae and of subformulae $\Diamond^{c}\psi$ where $\psi \in K_t$. □
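The decision procedures used in the proof above, as an added example that is not part of the paper: emptiness (a shortest-word search), finiteness/infiniteness (a cycle among the useful states), and the recursive procedure $P_k$ for 'at least $k$ words', which finds a word, builds an automaton for $L(A) \setminus \{w\}$ by a product with the complemented single-word automaton, and recurses. The `DFA` class, the `finite_dfa` helper and the two sample automata (`THREE`, `A_BSTAR`) are constructed here for illustration; automata are assumed complete, with a dead state for missing transitions.

```python
# Added example (not from the paper): the decision procedures used in the proof
# of Proposition 6, on complete DFAs (every state has a transition on every letter).
from collections import deque


class DFA:
    def __init__(self, alphabet, start, finals, delta):
        self.alphabet, self.start = tuple(alphabet), start
        self.finals, self.delta = set(finals), dict(delta)  # delta: (state, letter) -> state

    def _closure(self, seeds, edges):
        """Generic BFS closure of `seeds` along `edges(state)`."""
        seen, todo = set(seeds), deque(seeds)
        while todo:
            for r in edges(todo.popleft()):
                if r not in seen:
                    seen.add(r)
                    todo.append(r)
        return seen

    def useful(self):
        """States both reachable from the start and co-reachable to a final state."""
        rev = {}
        for (q, _), r in self.delta.items():
            rev.setdefault(r, set()).add(q)
        fwd = self._closure([self.start], lambda q: [self.delta[(q, a)] for a in self.alphabet])
        bwd = self._closure(self.finals, lambda r: rev.get(r, ()))
        return fwd & bwd

    def shortest_word(self):
        """BFS from the start: a shortest accepted word, or None if L(A) is empty."""
        parent, todo = {self.start: None}, deque([self.start])
        while todo:
            q = todo.popleft()
            if q in self.finals:
                letters = []
                while parent[q] is not None:
                    q, a = parent[q]
                    letters.append(a)
                return "".join(reversed(letters))
            for a in self.alphabet:
                r = self.delta[(q, a)]
                if r not in parent:
                    parent[r] = (q, a)
                    todo.append(r)
        return None

    def is_infinite(self):
        """L(A) is infinite iff the useful part of the transition graph has a cycle
        (Kahn's algorithm: a cycle leaves some states with positive in-degree)."""
        useful = self.useful()
        indeg, succ = {q: 0 for q in useful}, {q: [] for q in useful}
        for q in useful:
            for a in self.alphabet:
                r = self.delta[(q, a)]
                if r in useful:
                    succ[q].append(r)
                    indeg[r] += 1
        todo, removed = deque(q for q in useful if indeg[q] == 0), 0
        while todo:
            removed += 1
            for r in succ[todo.popleft()]:
                indeg[r] -= 1
                if indeg[r] == 0:
                    todo.append(r)
        return removed < len(useful)


def without_word(A, w):
    """DFA for L(A) \\ {w}: product of A with the complement of the single-word
    automaton for w (states 0..len(w) = letters matched so far, -1 = dead)."""
    n = len(w)

    def wstep(i, a):
        return i + 1 if 0 <= i < n and w[i] == a else -1

    start = (A.start, 0)
    delta, finals, seen, todo = {}, set(), {start}, deque([start])
    while todo:
        q, i = todo.popleft()
        if q in A.finals and i != n:      # accepted by A and different from w
            finals.add((q, i))
        for a in A.alphabet:
            r = (A.delta[(q, a)], wstep(i, a))
            delta[((q, i), a)] = r
            if r not in seen:
                seen.add(r)
                todo.append(r)
    return DFA(A.alphabet, start, finals, delta)


def at_least(A, k):
    """Procedure P_k of the proof: find a word w, remove it, ask for k-1 words in L(A) \\ {w}."""
    if k <= 0:
        return True
    w = A.shortest_word()
    return w is not None and at_least(without_word(A, w), k - 1)


def at_most(A, k):
    return not at_least(A, k + 1)


def exactly(A, k):
    return at_least(A, k) and at_most(A, k)


def finite_dfa(words, alphabet):
    """Complete DFA (a trie plus dead state None) for a finite set of words; constructed helper."""
    prefixes = {""} | {w[:i] for w in words for i in range(len(w) + 1)}
    delta = {(p, a): (p + a if p is not None and p + a in prefixes else None)
             for p in prefixes | {None} for a in alphabet}
    return DFA(alphabet, "", set(words), delta)


# Constructed samples: a three-word language and the infinite language a b*.
THREE = finite_dfa({"ab", "ba", "aa"}, "ab")
A_BSTAR = DFA("ab", 0, {1}, {(0, "a"): 1, (0, "b"): 2, (1, "a"): 2, (1, "b"): 1,
                            (2, "a"): 2, (2, "b"): 2})
```

The word-removal step is where the cost of this naive $P_k$ shows: each recursion level wraps the automaton in another product, so the state space grows with $k$, which is why the footnote concedes the procedure is not the most efficient one (an automaton whose useful part is acyclic could simply have its accepted words counted by dynamic programming).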

At present, we do not know whether any of the counting modalities preserves 
regularity in rational models, and respectively whether global model checking in 
rational models of either of these languages is decidable. 

7.3 A presentation based extension 

Here we consider a 'presentation-based' extension of the multi-modal version of 
$K_t$, where the new modalities are defined in terms of word operations, so they 
only have meaning in Kripke models where the states are labeled by words (such 
as the rational Kripke models), hereafter called Kripke word-models. 

To begin with, for a given alphabet $\Sigma$, with every language $X \subseteq \Sigma^*$ we can 
uniformly associate the following binary relations in $\Sigma^*$: 

$X? := \{(u,u) \mid u \in X\}$; 

$\sim X := \{(uv, v) \mid u \in X, v \in \Sigma^*\}$. 

Proposition 7. For every regular language $X \subseteq \Sigma^*$ the relations $X?$ and $\sim X$ 
are rational. 

Proof. For each of these, there is a simple uniform construction that produces 
from the automaton recognizing $X$ a transducer recognizing the respective re- 
lation. For instance, the transducer for $\sim X$ is constructed as the concatenation of the 
transducers (defined just like the concatenation of finite automata) for the rational 
relations $\{(u, \varepsilon) \mid u \in X\}$ and $\{(v, v) \mid v \in \Sigma^*\}$. The former is constructed from 
the automaton $A$ for $X$ by converting every $a$-transition in $A$, for $a \in \Sigma$, to an 
$(a, \varepsilon)$-transition, and the latter is constructed from an automaton recognizing 
$\Sigma^*$ by converting every $a$-transition, for $a \in \Sigma$, to an $(a, a)$-transition. □

This suggests a natural extension of (multi-modal) $K_t$ with an infinite family 
of new modalities associated with relations as above defined over the extensions 
of formulae. The result is a richer, PDL-like language which extends the star- 
free fragment of PDL with test and converse by additional program constructions 
corresponding to the regularity preserving operations defined above. We call that 
language 'word-based star-free PDL (with test and converse)', hereafter denoted 
WPDL. 



Formally, WPDL has two syntactic categories, viz., programs PROG and 
formulae FOR, defined over a given alphabet $\Sigma$, set of atomic propositions AP, 
and set of atomic programs (relations) REL, by mutual induction as follows: 

Formulae FOR: 

$\varphi ::= p \mid l_a \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \langle\alpha\rangle\varphi$ 

for $p \in AP$, $a \in \Sigma$, and $\alpha \in PROG$, where for each $a \in \Sigma$ we have added a special 
new atomic proposition $l_a$, used further to translate extended star-free regular 
expressions to WPDL-formulae. 

Programs PROG: 

$\alpha ::= \pi \mid \alpha^{-1} \mid \alpha_1 \cup \alpha_2 \mid \alpha_1 \circ \alpha_2 \mid \varphi? \mid \sim\varphi$ 

where $\pi \in REL$ and $\varphi \in FOR$. 

We note that WPDL is not a purely logical language, as it does not have se- 
mantics on abstract models but only on word-models (including rational Kripke 
models), defined as follows. Let $\mathcal{M} = (S, \{R_\pi\}_{\pi \in REL}, V)$ be a Kripke word- 
model over an alphabet $\Sigma$, with a set of states $S \subseteq \Sigma^*$, a family of basic 
relations indexed with REL, and a valuation $V$ of the atomic propositions from 
AP. Then every formula $\varphi \in FOR$ is associated with the language $[\varphi]_{\mathcal{M}} \subseteq \Sigma^*$ 
defined as before, where $[p]_{\mathcal{M}} := V(p)$ for every $p \in AP$ and $[l_a]_{\mathcal{M}} := \{a\} \cap S$ for 
every $a \in \Sigma$. Respectively, every program $\alpha$ is associated with a binary relation 
$R_\alpha$ in $\Sigma^*$, defined inductively as follows (where $\circ$ is composition of relations): 

$R_{\alpha^{-1}} := R_\alpha^{-1}$; 

$R_{\alpha_1 \cup \alpha_2} := R_{\alpha_1} \cup R_{\alpha_2}$; 

$R_{\alpha_1 \circ \alpha_2} := R_{\alpha_1} \circ R_{\alpha_2}$; 

$R_{\varphi?} := [\varphi]_{\mathcal{M}}?$; 

$R_{\sim\varphi} := \sim[\varphi]_{\mathcal{M}}$. 

Lemma 5. For every WPDL-formulae $\varphi, \psi$ and a Kripke word-model $\mathcal{M}$: 

1. $[\langle\varphi?\rangle\psi]_{\mathcal{M}} = [\varphi]_{\mathcal{M}} \cap [\psi]_{\mathcal{M}}$. 

2. $[\langle\sim\varphi\rangle\psi]_{\mathcal{M}} = [\varphi]_{\mathcal{M}} ; [\psi]_{\mathcal{M}}$ (where $;$ denotes concatenation of languages). 

Proof. Routine verification: 

1. $[\langle\varphi?\rangle\psi]_{\mathcal{M}} = \{w \in \Sigma^* \mid w R_{\varphi?} v \text{ for some } v \in [\psi]_{\mathcal{M}}\}$ 

$= \{w \in \Sigma^* \mid w = v \text{ for some } v \in [\varphi]_{\mathcal{M}} \text{ and } v \in [\psi]_{\mathcal{M}}\} = [\varphi]_{\mathcal{M}} \cap [\psi]_{\mathcal{M}}$. 

2. $[\langle\sim\varphi\rangle\psi]_{\mathcal{M}} = \{w \in \Sigma^* \mid w R_{\sim\varphi} v \text{ for some } v \in [\psi]_{\mathcal{M}}\}$ 

$= \{uv \in \Sigma^* \mid u \in [\varphi]_{\mathcal{M}}, v \in [\psi]_{\mathcal{M}}\} = [\varphi]_{\mathcal{M}} ; [\psi]_{\mathcal{M}}$. 

□

Corollary 3. For every WPDL-formula $\varphi$ and a rational Kripke model $\mathcal{M}$, 
the language $[\varphi]_{\mathcal{M}}$ is a regular language, effectively computable from $\varphi$. 

Corollary 4. Local and global model checking, as well as satisfiability checking, 
of WPDL-formulae in rational Kripke models is decidable. 



Extended star-free regular expressions over an alphabet $\Sigma$ are defined as 
follows: 

$E ::= a \mid \neg E \mid E_1 \cup E_2 \mid E_1 ; E_2$ 

where $a \in \Sigma$. Every such expression $E$ defines a regular language $L(E)$, where 
$\neg$, $\cup$, $;$ denote respectively complementation, union, and concatenation of lan- 
guages. The question whether two extended star-free regular expressions define 
the same language has been proved to have a non-elementary complexity in [19]. 

Every extended star-free regular expression can be linearly translated to a 
WPDL-formula: 

- $\tau(a) := l_a$, 

- $\tau(\neg E) := \neg\tau(E)$, 

- $\tau(E_1 \cup E_2) := \tau(E_1) \vee \tau(E_2)$, 

- $\tau(E_1 ; E_2) := \langle\sim\tau(E_1)\rangle\tau(E_2)$. 

Lemma 6. Given an alphabet $\Sigma$, consider the rational Kripke model $\mathcal{M}_\Sigma$ with 
set of states $\Sigma^*$, over empty sets of basic relations and atomic propositions. 
Then, for every extended star-free regular expression $E$, 

$L(E) = [\tau(E)]_{\mathcal{M}_\Sigma}$. 

Proof. Straightforward induction on $E$. The only non-obvious case $E = E_1 ; E_2$ 
follows from Lemma 5. □
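The translation $\tau$ and Lemma 6 checked mechanically, as an added example that is not part of the paper. Since $\mathcal{M}_\Sigma$ is infinite, the check is run on the model cut down to the words of length at most $n$: complement, union and concatenation restricted to $\Sigma^{\leq n}$ compute exactly $L(E) \cap \Sigma^{\leq n}$ (for $|uv| \leq n$ both factors are short as well), so the equality of Lemma 6 can be tested there. The tuple encodings of expressions and formulae, the evaluator and the sample expression `NO_AA` (words without the factor $aa$) are assumptions made here; the program $\sim\varphi$ appears as the tag `"pop"`.

```python
# Added example (not from the paper): the translation tau of extended star-free
# regular expressions into WPDL, and a check of Lemma 6 on M_Sigma cut down to
# words of length <= n.  Restricted to Sigma^{<=n}, complement, union and
# concatenation compute exactly L(E) ∩ Sigma^{<=n}, since |uv| <= n forces |u|, |v| <= n.
from itertools import product

# Expressions: ("lit", a) | ("not", E) | ("or", E1, E2) | ("cat", E1, E2)
# Formulae:    ("atom", a) for l_a | ("neg", f) | ("or", f, g) | ("dia", alpha, f)
# Programs:    ("test", f) for f? | ("pop", f) for ~f


def words_up_to(alphabet, n):
    return frozenset("".join(t) for k in range(n + 1) for t in product(alphabet, repeat=k))


def lang(E, S):
    """L(E) ∩ S, computed directly from the language operations."""
    op = E[0]
    if op == "lit":
        return frozenset({E[1]}) & S
    if op == "not":
        return S - lang(E[1], S)
    if op == "or":
        return lang(E[1], S) | lang(E[2], S)
    if op == "cat":
        return frozenset(u + v for u in lang(E[1], S) for v in lang(E[2], S)) & S
    raise ValueError(op)


def tau(E):
    """The linear translation: tau(a) = l_a, tau(¬E) = ¬tau(E),
    tau(E1 ∪ E2) = tau(E1) ∨ tau(E2), tau(E1;E2) = <~tau(E1)>tau(E2)."""
    op = E[0]
    if op == "lit":
        return ("atom", E[1])
    if op == "not":
        return ("neg", tau(E[1]))
    if op == "or":
        return ("or", tau(E[1]), tau(E[2]))
    if op == "cat":
        return ("dia", ("pop", tau(E[1])), tau(E[2]))
    raise ValueError(op)


def relation(alpha, S):
    """R_alpha for the two word-based program constructs, as an explicit set of pairs."""
    kind, f = alpha
    ext = sem(f, S)
    if kind == "test":
        return frozenset((u, u) for u in ext)                             # [f]?
    if kind == "pop":
        return frozenset((u + v, v) for u in ext for v in S if u + v in S)  # ~[f]
    raise ValueError(kind)


def sem(f, S):
    """[f] in the word-model with states S, no basic relations and no atomic
    propositions other than the l_a, whose extension is {a} ∩ S."""
    op = f[0]
    if op == "atom":
        return frozenset({f[1]}) & S
    if op == "neg":
        return S - sem(f[1], S)
    if op == "or":
        return sem(f[1], S) | sem(f[2], S)
    if op == "dia":                     # <alpha>g: states with an R_alpha-successor in [g]
        R, target = relation(f[1], S), sem(f[2], S)
        return frozenset(w for w, v in R if v in target)
    raise ValueError(op)


def lemma6_holds(E, alphabet="ab", n=5):
    """Does L(E) = [tau(E)] on Sigma^{<=n}?  Lemma 6 says it always should."""
    S = words_up_to(alphabet, n)
    return lang(E, S) == sem(tau(E), S)


# Constructed sample over Sigma = {a, b}: Sigma* is a ∪ ¬a (no Kleene star needed),
# and NO_AA is the star-free language of words without the factor "aa".
ANY = ("or", ("lit", "a"), ("not", ("lit", "a")))
NO_AA = ("not", ("cat", ("cat", ("cat", ANY, ("lit", "a")), ("lit", "a")), ANY))
```

The `"dia"` case is exactly the `$\langle\alpha\rangle$` semantics used in the proof of Lemma 5; with `"pop"` it reduces to concatenation, which is what makes $\tau$ a translation rather than merely an encoding.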

Consequently, for any extended star-free regular expressions $E_1$ and $E_2$, we 
have that $L(E_1) = L(E_2)$ iff $[\tau(E_1)]_{\mathcal{M}_\Sigma} = [\tau(E_2)]_{\mathcal{M}_\Sigma}$ iff $\mathcal{M}_\Sigma \models \tau(E_1) \leftrightarrow \tau(E_2)$. 
Thus, we obtain the following. 

Corollary 5. Global model checking of WPDL-formulae in rational Kripke 
models has non-elementary formula-complexity. 

Remark: since the $\sim$-free fragment of WPDL is expressively equivalent to 
$K_t$, a translation of bounded exponential blow-up from the family of extended 
star-free regular expressions to the latter fragment would prove Conjecture 1. 

8 Concluding remarks 

We have introduced the class of rational Kripke models and shown that all for- 
mulae of the basic tense logic $K_t$, and various extensions of it, have effectively 
computable regular extensions in such models, and therefore global model check- 
ing and local model checking of such formulae on rational Kripke models are 
decidable, albeit probably with non-elementary formula complexity. 

Since model checking reachability on such models is generally undecidable, an 
important direction for further research would be to identify natural large sub- 
classes of rational Kripke models on which model checking of $K_t$ extended with 
the reachability modality $\langle R\rangle^*$ is decidable. Some such cases, defined in terms 
of the presentation, are known, e.g., rational models with length-preserving or 
length-monotone transition relation [20]; the problem of finding structurally de- 
fined large classes of rational models with decidable reachability is still essentially 
open. 

Other important questions concern deciding bisimulation equivalence be- 
tween rational Kripke models, as that would allow us to transfer model checking 
of any property definable in the modal mu-calculus from one to the other. These 
questions are studied in a follow-up to the present work. 